March 29, 2006 4:00 AM PST

Suffering in silence with data leaks

Lynn Perry was living an online shopping nightmare.

A hacker had snatched her home address and phone and credit card numbers--even the three-digit security code printed on the back of her credit card--and was offering them to anyone willing to pay the asking price: $5.

Perry, a copyright attorney from Mill Valley, Calif., was among 10 people whose personal data was posted last month on a Web site that specializes in the trafficking of stolen information. Even worse, no one bothered to tell her that her credit card information had been compromised.

It's likely that no one was required to do so. Much to the chagrin of consumer advocates, the disclosure laws passed by 23 states during the past three years have had little impact when it comes to ensuring consumers are notified about data theft or loss.

Most existing laws allow merchants plenty of wiggle room when deciding whether to tell customers about such breaches, legal and security analysts said. The majority of state laws, for example, allow a company to stay mum about a robbery, if disclosing it would interfere with a police investigation.

That's a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of CardCops.com, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case "under investigation," he said.

"Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise," Clements said. "Most want to sweep the hack under the rug. Their motivation is clear; they don't want to lose their customers' trust."

Behind the break-ins
The issue of disclosure has taken on greater urgency in the wake of what analyst Avivah Litan of research firm Gartner has called the "most significant data theft ever."

A national retailer suffered a data breach late last year and thieves managed to steal debit card information, including personal identification numbers (PINs), from thousands of consumers across the country. After reports of fraud began to pile up, dozens of banks and credit unions across the country began replacing more than 200,000 debit cards.

Perry lost her personal information in a far smaller incident. She and six other people interviewed by CNET News.com whose details were being sold on the same Web site had one thing in common: They shopped at online electronics store JDM Infrastructure. But none of the victims knew their information had been stolen because JDM Infrastructure had never notified them, they said.

"Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise."
--Dan Clements, CEO, CardCops.com

While John Marks, chief executive of JDM Infrastructure, acknowledged that the company knew about a computer break-in, he said no customer data was lost. The online electronics reseller doesn't store such information, he said. But regardless of who lost it, did Marks feel compelled to warn customers of the potential threat of identity theft?

"We did everything we we're supposed to do," Marks said.

Marks may well be right, but consumer advocates are alarmed by such attitudes.

"Companies who lose this kind of information owe it to their customers to take responsibility," said Christopher Goetcheus, spokesman for the Massachusetts Office of Consumer Affairs. "We want companies to treat their customers' trust as their most important asset."

On the lawbooks
To understand the problem with disclosure laws around the U.S., California's SB 1386 is a good place to start, because most other state laws were patterned after it.

Passed in September 2002, the California law allows a merchant to stay quiet about a digital data breach if the information lost was encrypted. This could apply even if the "key" to unlock the encryption was also stolen, analysts said. In addition, the state law is unclear on the issue of a merchant's responsibility, if the company's technology provider, such as a Web hosting company, suffered an intrusion.

The law also requires notification to any resident "whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." But it offers no criteria for determining "reasonable" belief. Merchants are left to decide for themselves what is reasonable, legal experts said.

While California's laws allow plenty of leeway to merchants, consumer advocates say New York's state disclosure laws are a model for consumer protection. Passed in August 2005, S03492 requires any data compromise that has exposed the personal information of New York residents to be disclosed.

CONTINUED: Waiting game…
Page 1 | 2

See more CNET content tagged:
merchant, debit card, credit card, law, California

16 comments

Join the conversation!
Add your comment
Where is the consumer protection in any of this?
I would like to inform all the read this the year is 2006.

1. 1 in 8 adults have had there identity stolen with that number
steadily rising.

2. It takes a Congressman in Ohio to pass a law in Iowa against
identity theft.

3. NewYork has the best consumer protection but might not very
well be enough due to Federal Guidelines.

What "in the pickles" is wrong with all three of those statements
above? I'll tell you what is wrong -- no consistency! Anywhere!

And we as a society are supposed to embrace a technology that
would allow us to simply hit up a web site, order our favorite
product or products, and see it in three days without ever
leaving the house. Mmmmn convenience!

Now that's a grandiose notion due to politician's and big
business who's sole purpose is to keep there clients in lieu of
money. How are we supposed to feel safe in cyberspace let alone
real space knowing that our data could be stolen from any one
of those big business like Amazon or Ebay.

The only people that are being saved is the business' selling the
product or service. They get to continue to keep there clients
and there clients money while leaving there clients to fend off
the thieves' aftermath.

FYI, server administrators are paid to ensure that servers are up
to date and patched. After all, that is how data is stolen and
servers hacked, un-patched programs that reside on a server. So
why shouldn't business' be made RESPONSIBLE for not patching
servers?

It is a known fact that exploits are taken and used against these
very companies to get to your data using readily available tool
from the net. Because these companies find it "expensive" in
some sorts to maintain the patches they just leave the servers
unsecured. In return making these companies easy targets for
hackers.

"I guess it's ok to pay your Network Administrator $100,000 a
year to replace keyboards. Personally I think his talent is useful
in other places, but what would I know (www.Tech01.net)?"

Where are the people in all of this? After all, we are trying to
protect the "People's" data. Here's a freebie for all you
politician's, especially Bush.

How about a Federal Law making ANYBODY's server that holds
ANY PERSON DATA of CLIENTS either POTENTIAL or CURRENT
report ANY breaches in the respected databases.

Here's a little bone to add to that:
If a server is breached it must also be reported to the FBI and
logged. Then if deammed the responsibily of the business was
at fault then a $75,000 fine be imposed on the company.

Gee, look at that, a commoner makes a one paragraph law that
makes sense and works across the board to ensure "The People
of the United States of America" are protected against such
crimes as Identity Theft as well as Cyber Theft.

~Justin
www.Tech01.net
Posted by OneWithTech (196 comments )
Reply Link Flag
Where is the consumer protection in any of this?
I would like to inform all the read this the year is 2006.

1. 1 in 8 adults have had there identity stolen with that number
steadily rising.

2. It takes a Congressman in Ohio to pass a law in Iowa against
identity theft.

3. NewYork has the best consumer protection but might not very
well be enough due to Federal Guidelines.

What "in the pickles" is wrong with all three of those statements
above? I'll tell you what is wrong -- no consistency! Anywhere!

And we as a society are supposed to embrace a technology that
would allow us to simply hit up a web site, order our favorite
product or products, and see it in three days without ever
leaving the house. Mmmmn convenience!

Now that's a grandiose notion due to politician's and big
business who's sole purpose is to keep there clients in lieu of
money. How are we supposed to feel safe in cyberspace let alone
real space knowing that our data could be stolen from any one
of those big business like Amazon or Ebay.

The only people that are being saved is the business' selling the
product or service. They get to continue to keep there clients
and there clients money while leaving there clients to fend off
the thieves' aftermath.

FYI, server administrators are paid to ensure that servers are up
to date and patched. After all, that is how data is stolen and
servers hacked, un-patched programs that reside on a server. So
why shouldn't business' be made RESPONSIBLE for not patching
servers?

It is a known fact that exploits are taken and used against these
very companies to get to your data using readily available tool
from the net. Because these companies find it "expensive" in
some sorts to maintain the patches they just leave the servers
unsecured. In return making these companies easy targets for
hackers.

"I guess it's ok to pay your Network Administrator $100,000 a
year to replace keyboards. Personally I think his talent is useful
in other places, but what would I know (www.Tech01.net)?"

Where are the people in all of this? After all, we are trying to
protect the "People's" data. Here's a freebie for all you
politician's, especially Bush.

How about a Federal Law making ANYBODY's server that holds
ANY PERSON DATA of CLIENTS either POTENTIAL or CURRENT
report ANY breaches in the respected databases.

Here's a little bone to add to that:
If a server is breached it must also be reported to the FBI and
logged. Then if deammed the responsibily of the business was
at fault then a $75,000 fine be imposed on the company.

Gee, look at that, a commoner makes a one paragraph law that
makes sense and works across the board to ensure "The People
of the United States of America" are protected against such
crimes as Identity Theft as well as Cyber Theft.

~Justin
www.Tech01.net
Posted by OneWithTech (196 comments )
Reply Link Flag
Disgusting. STOP SHOPPING ONLINE is the only asnwer
Until merchants can prove our information is safe. Right now, I always have a feeling that nothing is safe.
Posted by ordaj (338 comments )
Reply Link Flag
Disgusting. STOP SHOPPING ONLINE is the only asnwer
Until merchants can prove our information is safe. Right now, I always have a feeling that nothing is safe.
Posted by ordaj (338 comments )
Reply Link Flag
Breaches occur often. Companies do not know
There are probably 2 to 3 more time the breaches than we are ever told about.
Most private companies are too worried about customers and revenue to put in proper security and to perform checks and audits of that security.
Of the three large employers with commerce-based web sites I have worked for, only one would know if there was a breach.
One company, an austin-based promo products company, has had many questionable problems and never tells the customers it has about the problems. The whole company is run on pirated software and every exec has known about the problems and the priating for over 5 years.
Yet they continue to generate millions in revenue every year and they have Banks and Hospitals as a customer!
As an employee I cannot tell the customers or I will get fired and sued. Contacting government agencies does nothing, and even sending a list of the priated software to the BSA accomplishes nothing.
Any idiot can setup a web site and take money. There is nothing to compel them to manage security or software licenses. Its a very sad state. Use cash and do not buy online.
Posted by FarmerChet (6 comments )
Reply Link Flag
Breaches occur often. Companies do not know
There are probably 2 to 3 more time the breaches than we are ever told about.
Most private companies are too worried about customers and revenue to put in proper security and to perform checks and audits of that security.
Of the three large employers with commerce-based web sites I have worked for, only one would know if there was a breach.
One company, an austin-based promo products company, has had many questionable problems and never tells the customers it has about the problems. The whole company is run on pirated software and every exec has known about the problems and the priating for over 5 years.
Yet they continue to generate millions in revenue every year and they have Banks and Hospitals as a customer!
As an employee I cannot tell the customers or I will get fired and sued. Contacting government agencies does nothing, and even sending a list of the priated software to the BSA accomplishes nothing.
Any idiot can setup a web site and take money. There is nothing to compel them to manage security or software licenses. Its a very sad state. Use cash and do not buy online.
Posted by FarmerChet (6 comments )
Reply Link Flag
Corporate Slackers
Corporate slackers, pay peanuts for computer security, that's what you get, wholesale theft of data held in any corporate computer!

But since in most corporations, we pay inflated salaries with similar large amounts of funds to their over inflated expense accounts(Jack's style) and share options, at the end of the day, there is no funds left in the kitty, for any form of data security!

Alas , you pay for what you get and get what you pay for! , but you can't get much security for peanuts!

Some choices in real life, can be very costly for some!
Posted by heystoopid (691 comments )
Reply Link Flag
Corporate Slackers
Corporate slackers, pay peanuts for computer security, that's what you get, wholesale theft of data held in any corporate computer!

But since in most corporations, we pay inflated salaries with similar large amounts of funds to their over inflated expense accounts(Jack's style) and share options, at the end of the day, there is no funds left in the kitty, for any form of data security!

Alas , you pay for what you get and get what you pay for! , but you can't get much security for peanuts!

Some choices in real life, can be very costly for some!
Posted by heystoopid (691 comments )
Reply Link Flag
freezing your credit doesn't work either
Knowing that I was going to take out a line of credit on my house in a month, I ran a little test. I notified the 3 major credit agencies that my identity may have been stolen, then waited until they confirmed in writing that my credit files had been appropriately flagged. Then I applied for the $100,000 line of credit against my house, and got it, and none of them contacted me about it. Where's the protection?
Posted by mikew12345 (2 comments )
Reply Link Flag
YOU'RE not protected...
THEY'RE protected. Protected from spending any money or effort to take care of anything.
Posted by ordaj (338 comments )
Link Flag
There is a difference between a freeze and a watch
only people in a few states can freeze an account right now I believe. Watches don't work that is for sure.

Did you freeze or just put on a watch?
Posted by drizzit (3 comments )
Link Flag
freezing your credit doesn't work either
Knowing that I was going to take out a line of credit on my house in a month, I ran a little test. I notified the 3 major credit agencies that my identity may have been stolen, then waited until they confirmed in writing that my credit files had been appropriately flagged. Then I applied for the $100,000 line of credit against my house, and got it, and none of them contacted me about it. Where's the protection?
Posted by mikew12345 (2 comments )
Reply Link Flag
YOU'RE not protected...
THEY'RE protected. Protected from spending any money or effort to take care of anything.
Posted by ordaj (338 comments )
Link Flag
There is a difference between a freeze and a watch
only people in a few states can freeze an account right now I believe. Watches don't work that is for sure.

Did you freeze or just put on a watch?
Posted by drizzit (3 comments )
Link Flag
What's the REAL Problem here?
Information is stolen all the time. Much of it hits the news.

But the problem as I see it here is that customer's PIN information is also stored online as well.

THAT INFORMATION FOLKS!!! is WHAT SHOULD NEVER BE STORED!!!

They claim they did every thing possible... but apparently that didn't include NOT storing the PIN number...

So if ya ask me... They DIDN'T do everything possible... either before (storing the PIN) OR afterwards (notifying their customer's of the breach).

Whether it's required by law or not is another issue!!! The common sense thing to do (laws or not) is to notify those whom are affected... which they didn't do!

So in my book... they're guilty on both accounts of NOT doing EVERYTHING possible in the PRE-BREACH as well as NOT doing EVERYTHING possible in the POST-BREACH!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
What's the REAL Problem here?
Information is stolen all the time. Much of it hits the news.

But the problem as I see it here is that customer's PIN information is also stored online as well.

THAT INFORMATION FOLKS!!! is WHAT SHOULD NEVER BE STORED!!!

They claim they did every thing possible... but apparently that didn't include NOT storing the PIN number...

So if ya ask me... They DIDN'T do everything possible... either before (storing the PIN) OR afterwards (notifying their customer's of the breach).

Whether it's required by law or not is another issue!!! The common sense thing to do (laws or not) is to notify those whom are affected... which they didn't do!

So in my book... they're guilty on both accounts of NOT doing EVERYTHING possible in the PRE-BREACH as well as NOT doing EVERYTHING possible in the POST-BREACH!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.